Computer Ethics, Fall 2010 Week 7

October 25
Corboy Law Room 523
4:15-6:45 Mondays

Privacy
AOL leak
RFID



Loyola's policy on email

Privacy on University electronic mail systems [1997-1998] http://www.luc.edu/its/policy_email_general.shtml

In the section subtitled "Privacy on University electronic mail systems", seven reasons are given why someone else might read your email:

The University community must recognize that electronic communications are hardly secure and the University cannot guarantee privacy. The University will not monitor electronic mail messages as a routine matter. But the University reserves the right to inspect, access, view, read and/or disclose an individual's computer files and e-mail that may be stored or archived on University computing networks or systems, for purposes it deems appropriate. There may arise situations in which an individual's computer files and e-mail may be inspected, accessed, viewed, read and/or the contents may be revealed or disclosed. These situations include but are not limited to:

  1. During ordinary management and maintenance of computing and networking services,
  2. During an investigation of indications of illegal activity or misuse, system and network administrators may view an individual's computer files including electronic mail,
  3. During the course of carrying out the University's work, to locate substantive information required for University business, e.g., supervisors may be need to view an employee's computer files including electronic mail,
  4. If an individual is suspected of violations of the responsibilities as stated in this document or other University policies,
  5. To protect and maintain the University computing network's integrity and the rights of others authorized to access the University network.
  6. The University may review and disclose contents of electronic mail messages in its discretion in cooperating with investigations by outside parties, or in response to legal process, e.g., subpoenas,
  7. Should the security of a computer or network system be threatened

Some possible protections (not actually implemented):

Protection against items 5,7: If your email is examined because we believe your account has been compromised, any contents implicating you on other matters and associated with your legitimate use of your account will NOT be held against you (except in cases of ????)

Protection against 1: If your email is examined accidentally or as part of routine system maintenance, any contents implicating you on any matters will not be held against you (exceptions???)

While these would not be enforceable for staff, as at-will employees, they would be for

Legit: 2, 3 [maybe], 4 [but what grounds for suspicion?] Item 6 could be clearer that outside investigations must be part of law enforcement;


Electronic Communications Privacy Act, 1986

The ECPA was intended to extend the existing restrictions on government wiretaps to other electronic communication, in particular email. However, it also applies to private organizations. It has three exceptions that serve to limit its applicability to employer monitoring (§2511(2)(a))
  1. The provider exception (except  that a provider .. shall not utilize service-observing or random monitoring except for ...quality control checks)
  2. The ordinary course of business exception
  3. The consent exception. (c)

Generally, most employer monitoring falls under one of these. Note that the "provider" exception is a specific feature of ECPA; ownership of the hardware does not create a general right of access and in particular ownership of a telephone system does not create a right to eavesdrop.

Phone surveillance in the workplace
Keystroke monitoring
Location monitoring

Do computers empower workers, or shackle them?

While we're on the topic of ECPA, there is:
    Title I, covering electronic communications in transit (USC Title18 Chapter 119)
    Title II, the Stored Communications Act. (USC Title 18 Chapter 121)
The latter has much less stringent restrictions. Debate continues as to the appropriate category for email messages.

ECPA amended the Wiretap Act of 1968.

US v Councilman

Bradford Councilman ran a website that listed rare books; he also gave email accounts (actually aliases) to booksellers within the domain "interloc.com" (this might be comparable to amazon.com giving email aliases to their associated private sellers, or even ebay). However, Councilman examined these dealer emails in order to develop a competitive strategy (these emails would show what rare books were in demand, for example; apparently the real target was amazon.com).

In the case US v Councilman, the government prosecuted Councilman for interception of email in violation of the EPCA/Wiretap Act. Councilman argued that he only examined the email as it was stored on servers temporarily while being routed to its final destination, and that accessing stored documents did not constitute "interception" for the purposes of the Wiretap Act. The District Court and a 3-judge panel of the Appellate Court agreed with Councilman's theory. In 2005, however, the First Circuit court ruled en banc that, yes, EPCA in-transit rules did apply to data stored temporarily on disks (filesystems) as well.

Note that the issue here is not government access to electronic communications.

Note also that the status of email as it sits in storage remains contentious.

Email differs technically from voice in that as email is forwarded to its destination the full message sits briefly on various intermediate servers. Phone servers store at most a few bits of a voice stream at a time. The First Circuit ruled very definitively that, despite the appearance that email was being stored, the practical understanding was that it was in transit, and as such was protected. This is a good example of the courts rejecting a "technical" argument for the "big picture"; note, however, that the first two courts to hear the case agreed with the technical argument.

The full First Circuit decision is at http://www.ca1.uscourts.gov/pdf.opinions/03-1383EB-01A.pdf



United States v Warshak, 6th circuit decided June 2007, redecided July 2008

This was a case involving government compliance with EPCA. Warshak was a spammer promoting "Enzyte" for "natural male enhancement." He was a suspect in a (different) fraud case. The government got an order from a US Magistrate asking for his email records. The emails were turned over to him.

Eventually Warshak found out about this:
    Warshak: get a search warrant!
    US: all we need is subpoena (much weaker)

Are subpoena rules for email overly broad?
US argument: users of ISPs don't have a reasonable expectation of privacy.

This is clear for employer-provided email, though there's no reason to suppose loss of privacy extends to the government.

But what about commercial email? Here's an imaginary Yahoo Terms-of-service by Mark Rasch, from securityfocus.com/columnists/456/3 :

Because a customer acknowledges that Yahoo! has unlimited access to her e-mail, and because she consents to Yahoo! disclosing her e-mail in response to legal process, compelled disclosure of e-mail from a Yahoo! account does not violate the Fourth Amendment.

The point here is that because Yahoo has access to your email, the gov't thinks that all your email should be treated just like any other commercial records. You have no "expectation of privacy".

The government argued that this case was like the 1976 US v Miller case, where bank records were found NOT to be protected. However, bank records are pretty clearly different from email. For one thing, under the "transaction" theory of privacy, bank records belong to the bank, as well as to you. Email does not belong, in any sense, to your ISP.

Stored Communications Act, part of ECPA
    email stored 180 days or less: gov't needs a warrant
    more than 180 days: warrant, subpoena, or court order
See http://www.usdoj.gov/criminal/cybercrime/ECPA2701_2712.htm
§2703 (a): less than 180 days (b): more than 180 days

Warshak was arguing that the government should need a warrant for ANY of his email.

District court: Warshak won. (Quote from full 6th circuit decision)

The court reasoned that Warshak likely would succeed on his Fourth Amendment claim because internet users have a reasonable expectation of privacy in e-mails, and because the orders authorized warrantless searches on less than probable cause.

3-judge panel of 6th circuit appellate court: Warshak won, June 2007. The decision was far-reaching, not specific to the facts at hand. The decision was by a 3-judge panel. From the ruling:

[W]e have little difficulty agreeing with the district court that individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP. The content of e-mail is something that the user "seeks to preserve as private," and therefore "may be constitutionally protected."

October 2007: 6th circuit agrees to en banc review (whole court)

July 2008: full court ruled that the case was not "ripe": broad question was not ready to be addressed.

The ripeness doctrine serves to "avoid[] . . . premature adjudication" of legal questions and to prevent courts from "entangling themselves in abstract" debates that may turn out differently in different settings.

Conventional wisdom as to why the supreme court is not likely to hear the case: they would have to find that the case was "ripe", and they are much more likely to wait for a case where "ripeness" is more evident. (See Eugene Volokh, volokh.com/posts/1176832897.shtml) Traditionally, the courts consider 4th-amendment cases "after the fact".


We're still waiting for a final decision on US v Antoine Jones. The DC Appellate Court overturned his conviction because the GPS monitoring was for more than one or two trips; the Seventh and Ninth circuits ruled differently however.


SMS messages ("text messages")

1. They are often transmitted as cleartext.

2. The government is likely to argue that the 4th amendment does not apply.

3. They are not 'wire communications', and thus escape the Wiretap Act rule that illegally intercepted messages cannot be used against you.

4. Your local police are not likely to be intercepting SMS messages, but it's always a risk. The ECPA does require a court order.

More at https://ssd.eff.org/book/export/html/23


gmail

All gmail is read at google. Just not necessarily by people. Does this matter?

What if Councilman had had automated software read the email, and this software then updated Councilman's book-pricing lists? Is this different from what gmail does, or the same?

What if google searched gmail for inside stock tips, and then invested?

What could google do with the information it learns about you?

What could the government do, if they had access to any of it?

Once Upon A Time, some people laced their emails with words like "bomb" and "terrorist", intended as a troll for the NSA. If you're doing that today you're most likely trolling gmail instead of the NSA. Try lacing your google email with words related to a single hobby with substantial commercial presence (eg tennis), and see what ads you get. (Perhaps the most interesting test would be to choose a socially stigmatized hobby.)



What if your ISP examined your email? Would it make a difference if the reason was:


Suppose google/gmail gets together with commercial entities with information about your shopping. What would it really mean? If the information's use was restricted to more advertising, would any amount of information really matter? Or are there advertising approaches that, by "knowing what strings to pull for you",  are fundamentally unacceptable?

And is there a special concern if this kind of information became available directly? For example, if employers could look up your magazine subscriptions?



RFID

Original reading: Simson Garfinkel, Adopting Fair Information Practices to Low Cost RFID Systems.

Overall survey of active v passive rfid tags. Why they might remain attached to purchased items. RFID tags in identification cards

Differences between RFID and bar codes. In one sense, both types work by being "illuminated" by a source of electromagnetic radiation. In practice, most ordinary materials are not opaque to RFID frequencies, and more information can be stored.

creeping incursions: when do we take notice? Is there a feeling that this "only applies to stores"? Are there any immediate social consequences? Is there a technological solution?

How do we respond to real threats to our privacy? People care about SSNs now; why is that?

Are RFID tags a huge invasion of privacy, touching on our "real personal space", or are they the next PC/cellphone/voip/calculator that will revolutionize daily life for the better by allowing computers to interact with our physical world?

Imagine if all your clothing displays where you bought it: "Hello. My underwear comes from Wal*Mart"
(Well, actually, no; RFID tags don't take well to laundering.)

RFID tags on expensive goods, signaling that I have them: iPods, cameras, electronics

Loyola RFID cards

RFID v barcodes: unique id for each item, not each type readable remotely without your consent

"Kill" function

Active and passive tags

Are there ways to make us feel better about RFID??

Garfinkel's proposed RFID Bill of Rights:

Users of RFID systems and purchasers of products containing RFID tags have:

  1. The right to know if a product contains an RFID tag.
  2. The right to have embedded RFID tags removed, deactivated, or destroyed when a product is purchased.
  3. The right to first class RFID alternatives: consumes should not lose other rights (e.g. the right to return a product or to travel on a particular road) if they decide to opt-out of RIFD or exercise an RFID tag’s “kill” feature.
  4. The right to know what information is stored inside their RFID tags. If this information is incorrect, there must be a means to correct or amend it.
  5. The right to know when, where and why an RFID tag is being read.

What about #3 and I-Pass? And cellphones?

Serious applications:

Technological elite: those with access to simple RFID readers? Sort of like those with technical understanding of how networks work?

2003 boycott against Benetton over RFID-tagged clothing: see boycottbenetton.com: "I'd rather go naked" (who, btw, do you think is maintaining their site? This page is getting old!)

Some specific reasons for Benetton's actions:

Is the real issue a perception of control? See Guenther & Spiekermann Sept 2005 CACM article, p 73 [not assigned as reading]. The authors developed two models for control of RFID information on tagged consumer goods:

Bottom line: Guenther & Spiekerman found that changing the privacy model for RFID did not really change user concerns.

Is there a "killer app" for RFID? Smart refrigerators don't seem to be it.

I-Pass is maybe a candidate, despite privacy issues (police-related) Speedpass (wave-and-go credit card) is another example. And cell phones do allow us to be tracked and do function as RFID devices. But these are all "high-power" RFID, not passive tags.

What about existing anti-theft tags? They are subject to some of the same misuses.

Papers: Bruce Eckfeldt: focuses on benefits RFID can bring. Airplane luggage, security [?], casinos, museum visitors

Does RFID really matter? When would rfid matter?

RFID:

tracking people within a fixed zone, eg tracking within a store:

entry/exit tracking

profiling people
cell-phone tracking: when can this be done?

inducements to waive privacy? having to take products to the "kill" counter and wait in line, or losing warranty/return privileges if the RFID tag is disabled.

RFID shopping carts in stores: scan your card and you get targeted ads as you shop. From nocards.org:

"The other way it's useful is that if I have your shopping habits and I know in a category, for instance, that you're a loyal customer of Coca Cola, let's say, then basically, when I advertise Coca Cola to you the discount's going to be different than if I know that you're a ... somebody that's price sensitive." Fujitsu representative Vernon Slack explaining how his company's "smart cart" operates.

RFID MTA hack? We'll come to this later, under "hacking". But see http://cs.luc.edu/pld/ethics/charlie_defcon.pdf (especially pages 41, 49, and 51) and (more mundane) http://cs.luc.edu/pld/ethics/mifare-classic.pdf.

Passports

See also http://getyouhome.gov

US passports have had RFID chips embedded for some years now. In the article at http://news.cnet.com/New-RFID-travel-cards-could-pose-privacy-threat/2100-1028_3-6062574.html, it is stated that

Homeland Security has said, in a government procurement notice posted in September [2005?], that "read ranges shall extend to a minimum of 25 feet" in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the proposal says, "the solution must sense up to 55 tokens."

The notice, unearthed by an anti-RFID advocacy group, also specifies: "The government requires that IDs be read under circumstances that include the device being carried in a pocket, purse, wallet, in traveler's clothes or elsewhere on the person of the traveler....The traveler should not have to do anything to prepare the device to be read, or to present the device for reading--i.e., passive and automatic use."

The article also talks, though, about how passports (as opposed to the PASS cards usable for returning from Canada or Mexico) now have RFID-resistant "antiskimming material" in the front (and back?) cover, making the chip difficult to read when the passport is closed.

Currently, passport covers do provide moderately effective shielding. Furthermore, the data stream is encrypted, and cannot be read without the possession of appropriate keys (although it may still identify the passport bearer as a US citizen). An article in the December 2009 Communications of the ACM by Ramos et al suggested that the most effective attack would be to:

The actual information on the passport consist of your name, sex, date of birth, place of birth, and photograph. Note that to be in the vicinity of the customs counter, you generally have to have a paid international airplane ticket (though eavesdropping at highway crossings might also be possible), and forged blank passport books are also relatively expensive. In other words, this is not an easy scam to pull off. Risks to US citizens abroad seem pretty minimal.




Tracking: Printer tracking dots; word .doc format

SSN

see http://cpsr.org/issues/privacy/ssn-faq/

Privacy Act of 1974: govt entities can't require its use unless:

SSN and:

There had been a trend against using the SSN for student records; some students complained that no federal law authorized its collection for student records and therefore state schools could not require it. Alas, while this idea was gaining traction Congress introduced the Hope education tax credits and now it is required that students give their SSN to colleges. Even if they don't intend to claim the credit.

What exactly is identity theft?

National Identity Card: What are the real issues? tracking? matching between databases? Identity "theft"?

Starting on page 85, there's a good section in Baase on stolen data; see especially the table of incidents on page 87. What should be done about this? Should we focus on:

You have to give your SSN when applying for a marriage license, professional license, "recreational" license, and some others. Why should this be? For the answer, see http://www4.law.cornell.edu/uscode/42/usc_sec_42_00000666----000-.html. This is a pretty good example of a tradeoff between privacy and some other societal goal, with the latter winning out.


Old-fashioned examples of government privacy issues, now kind of quaint:

Matching: Should the government be able to do data mining on their databases? In particular, should they be able to compare DBs for:

Should the following kinds of data be available to the government for large-scale matching?

Government data collection: what does this really have to do with computing? The government has resources to keep records on "suspects" even with pencil and paper.

Government and e-privacy:

What if FACIAL RECOGNITION were to really take off? What would be the consequences? There are all those cameras already.

Most arguments today against facial recognition are based on the idea that there are too many false positives. What if that stopped being the case?

What about camera evidence of running lights or speeding?


Commercial privacy:

E-bay privacy - Ebay has (or used to have) a policy of automatically opening up their records on any buyer/seller to any police department, without subpoena or warrant.

This one is quite remarkable. What do you think? Is this ethical?


Medical Privacy- the elephant in the room?

HIPAA (Health Insurance Portability & Accountability Act) has had a decidedly privacy-positive effect here.





Odlyzko and price discrimination

Andrew Odlyzko's 2003 survey paper is at http://cs.luc.edu/pld/ethics/odlyzko.pdf.

What's the real goal behind the collection of all this commercial information? Especially grocery-store discount/club/surveillance cards. There are many possible goals, but here's one that you might not have thought about, in which your privacy can be "violated" even if you are anonymous!

basic supply/demand: one draws curves with price on the horizontal axis, and quantity on the vertical. The supply curve is increasing; the higher the price the greater the supply. The demand curve, on the other hand, decreases with increasing price. However, these are for aggregates.

Now suppose you set price P, and user X has threshold Px.  The demand curve decreases as you raise P because fewer X's are willing to buy. Specifically:

But what you really want is to charge user X the price Px.

Example: Alice & Bob each want a report. Alice will pay €1100, bob will pay €600. You will only do it for €1500. If you charge Alice €1000 and Bob €500, both think they are getting a deal.

But is this FAIR to Alice?

In one sense, absolutely yes.

But what would Alice say when she finds out Bob paid half, for the same thing?

Possible ways to improve the perception of value:

What do computers have to do with this?

Airline pricing: horrendously complicated, to try to maximize revenue for each seat.

Online stores certainly could present different pricing models to different consumers. Does this happen? I have never seen any evidence of it, beyond recognizing different broad classes of consumers. Perhaps it takes the form of discounts for favorite customers, but that's a limited form of price discrimination.

Dell: different prices to business versus education This is the same thing, though the education discount is not nearly as steep now.

Academic journal subscriptions and price discrimination: Libraries pay as much as 10 times for some journals as individuals!

two roundtrip tickets including weekends can be less than one (this example is ~ 2005; all flights are round-trips)   

origin
destination
outbound
return
cost
Minneapolis
Newark
Wed
Fri
$772.50
Minneapolis
Newark
Wed
next week
$226.50
Newark
Minneapolis
Fri
next week
$246.50

If you buy the second and third tickets and throw out the returns, you save almost $300! Airlines have actually claimed that if you don't fly your return leg, they can charge you extra.

The issue is not at all specific to online shopping; it applies to normal stores as well. Sometimes it goes by the name "versioning": selling slightly different versions to different market segments, some at premium prices.


What about grocery stores?

CASPIAN: http://nocards.org

They're against grocery discount cards, also known as club cards or surveillance cards. A big part of Caspian's argument appears to be that the cards don't really save you money; that is, the stores immediately raise prices.

customer-specific pricing: http://nocards.org/overview

One recent customer-specific-pricing strategy: scan your card at a kiosk to get special discounts. nocards.org/news/index.shtml#seg3
Jewel's "avenu" program is exactly this: http://www.jewelosco.com/eCommerceWeb/AvenuAction.do?action=dispLoginPage

One clear goal within the industry is to offer the deepest discounts to those who are less likely to try the product anyway. In many cases, this means offering discounts to shoppers who are known to be PRICE SENSITIVE.

Clearly, the cards let stores know who is brand-sensitive and who is price-sensitive.

Loyal Skippy peanutbutter customers would be unlikely to get Skippy discounts, unless as part of a rewards strategy. They might qualify for Jif discounts.

Classic price discrimination means charging MORE to your regular customers, to whom your product is WORTH more, and giving the coupons to those who are more price-sensitive. Well, maybe the price-sensitive shoppers would get coupons for rice, beans, and peanut butter, while the price-insensitive shoppers would get coupons to imported chocolates, fine wines, and other high-margin items.

"shopper surveillance cards": 1. Allow price discrimination: giving coupons etc to the price-sensitive only. There may be other ways to use this; cf Avenu at Jewel

The idea used to be that you, the consumer, could shop around, compare goods and prices, and make a smart choice. But now the reverse is also true: The vendor looks at its consumer base, gathers information, and decides whether you are worth pleasing, or whether it can profit from your loyalty and habits. -- Joseph Turow, Univ of Pennsylvania

2. segmentation (nocards.com/overview) What about arranging the store to cater to the products purchased by the top 30% of customers (in terms of profitability)? Caspian case: candy aisle was reduced, although it's a good seller, because top 30% preferred baby products. Is this really enough to make the cards worth it to the stores, though?

Using a card anonymously doesn't help here, as long as you keep using the same card!

Using checkout data alone isn't enough, if "the groceries" are bought once a week but high-margin items are bought on smaller trips.

One of the most significant examples of price discrimination is college tuition. The real tuition equals the list price minus your school scholarship. While many scholarships are outside of the control of the school, the reality is that schools charge wealthier families more for the same education.



Privacy wrap-up

Maybe the main point is simply that no one does really care about privacy, at least in the sense of all that data out there about us. One can argue that at least we're consistent: collectively we tend to ignore "rights" issues with software both when it works in our favor (file sharing) and against us (privacy).

One secondary issue with privacy is the difference between "experts" and ordinary people: experts know a lot more about how to find out information on the Internet than everyone else. We'll come back to this "digital divide" issue later, under the topic "hacking", but note that there may be lots of available information out there about you that you simply are not aware of.



Free Speech

The Founding Fathers probably had political speech in mind when drafting the First Amendment:

    Congress shall make no law ... abridging the freedom of speech, or of the press;

Right off the bat note the implicit distinction between "speech" and "the press": blogging wasn't foreseen by the Founding Fathers!

The courts have held that Congress can abridge "offensive" speech. For example: